It's Time to Arrest Cyber Crime

As the bad guys get ever more sophisticated, even more ambitious efforts to thwart them are needed. Here are some tips.

Last year for the first time, proceeds from cyber crime were greater than proceeds from the sale of illegal drugs, according to recent comments by Valerie McNiven, an adviser to the U.S. Treasury Dept. "Cyber crime is moving at such a high speed that law enforcement cannot catch up with it," she says.

The profile of the typical cyber criminal is changing fast, too. If you think that's a lone hacker sitting in a college dorm or a basement recreation room, think again. Cyber crime is rapidly evolving from the domain of misguided pranksters to elaborate, profit-driven schemes involving organized-crime syndicates that may be based around the block, or halfway around the world. It's estimated that 85% of malware today is created with profit in mind. The sobering corollary to that statistic: only 5% of cyber criminals are caught and prosecuted.

Just as crime will prevent people from moving into a neighborhood, so also will cyber crime make people reluctant to enter and trust the electronic world. This will hinder interchange between people, businesses, and governments, impacting everything from education to commerce.


So, if cyber criminals are more organized today than ever before, our response to them must also take on new structure and focus. Individuals, organizations, law enforcement, and info-tech solutions providers must all join to take on the evolving challenge of cyber crime. Specifically, new strategies and solutions are needed in three key areas -- people, policies, and technology.

Let's start with the people factor. One key to thwarting cyber criminals: figure out what makes them tick. In the mid-1990s, high-tech companies realized that a key step to improving the security and privacy of a business' IT infrastructure was to try to break into it. This resulted in a new job category: "the ethical hacker."

These are highly trustworthy individuals and teams who understand how malicious hackers work and who use their skills to detect vulnerabilities and devise ways to mitigate, or even eliminate, security weaknesses. And it's all done in cooperation with clients or law enforcement.


In the early days of ethical hacking, these professionals were able to successfully break into their targets 80% of the time. It's unfortunate that this rate of success has not notably decreased, a sign that today's systems remain vulnerable as hackers continue to adapt to new security measures. However, the lessons learned by these early ethical hackers are being incorporated into the practices of modern law enforcement around the world.

Just as today's law-enforcement agencies deploy specialized teams in counterterrorism and white-collar crime, cyber-crime expertise has become a requirement as well. The FBI has already identified fighting cyber- and high-technology crimes as No. 3 among its top 10 priorities.

Aside from better understanding how criminals are thinking and acting, the "people factor" also means achieving a better understanding of the potential implications of our own behavior. Organizations must look at their security programs, not only at a technical level, but down to the actions of each person and how he or she interacts with the online ecosystem. Behavioral insight will help fight not only intrusions into the network but extrusions in which users may, inadvertently or knowingly, permit data to fall into the wrong hands.


Then there's the matter of policy. Security policy deals with the hundreds, even thousands, of laws and regulations with which organizations must comply. Equally important, however, security policy refers to the policies organizations create for themselves, their business partners, and customers: expectations for behaviors and outcomes that an organization has in place to create a secure environment in which to do business.

Security policies enable the governance that protects one of the most valuable assets of a company -- its data, relating to both corporate secrets and the private data of its employees and customers.

But policy is not purely a go-it-alone concept, especially in our increasingly interconnected online world. A group of more than 40 organizations, including American Express (AXP), Citigroup (C), Merrill Lynch (MER), and IBM (IBM), has formed the Data Governance Council. This global effort is aimed at going beyond traditional approaches to security, privacy, compliance, and operational-risk policy, in an effort to promote a more complete approach to data governance.


Data governance helps organizations fix decades of indulgent data-collection practices. Companies have more data than they need -- they don't know where it is, what it's worth, who owns it, who maintains it, or what it will cost the organization if it's stolen. They're concerned about governing access to confidential data such as legal contracts, patents, trade secrets, software code, financial data, stock trades, merger-and-acquisition activity, and patient records. The council is working to define technology and policies for helping companies get a grip on the data deluge.

Finally, no approach to fighting cyber crimes is complete without careful consideration of technology. No one should underestimate the technical capabilities of today's cyber criminals. So new technology must be developed to go beyond rapid response, to anticipating and heading off new cyber-crime techniques.

One approach involves broader use of an established capability: cryptography. Simply defined, cryptography is the process of translating data into a format that can be read only by authorized users. This can be used, for instance, to protect customer information stored on tapes, so it can't be read if the tapes fall into the wrong hands.


Encryption has been a mainstay of mainframe computing for decades. But today's challenge is how to extend it to every touchpoint on the network. More than half of all corporate data doesn't reside on a server, but on someone's PC, PDA, or cell phone. The economics of protecting data with cryptography must be addressed to keep it cost-effective, wherever that data lives.

The use of cryptography is one example of how we in the IT community must also take more seriously the need for "security engineering" in the design and development of our hardware and software systems. You wouldn't want to add air bags to an automobile after you bought it, but too often that's how the IT industry has treated security: as an add-on. Enhanced security capabilities, including ease of use and performance, must be a part of the mindset from the ground up.

As a recent report from the Center for Strategic & International Studies stated, cyber crime "is the organized crime of the 21st century." Yet, the bad guys are hardly the only ones to have figured out that there's strength in numbers. By marshalling the collective skills and expertise of individuals and organizations in both the private and public sectors, we can equip the people, implement the policies, and deploy the technologies that will help secure our networked world.
